nessusThis script is Copyright (C) 2002-2021 and is owned by Tenable, Inc. or an Affiliate thereof.ASP_SOURCE_SPACE.NASL
HistoryAug 14, 2002 - 12:00 a.m.

Multiple Web Server Encoded Space (%20) Request ASP Source Disclosure

2002-08-14 00:00:00
This script is Copyright (C) 2002-2021 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
196

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

0.021 Low

EPSS

Percentile

89.1%

It appears possible to get the source code of the remote ASP scripts by appending a '%20' to the request.

ASP source code usually contains sensitive information such as logins and passwords.

This has been reported in Simple HTTPD (shttpd), Mono XSP for ASP.NET and vWebServer. This type of request may affect other web servers as well.

#
# (C) Tenable Network Security, Inc.
#

# Script audit and contributions from Carmichael Security
#      Erik Anderson <[email protected]>
#      Added BugtraqID and CAN
#
# References:
# Date:  Fri, 29 Jun 2001 13:01:21 -0700 (PDT)
# From: "Extirpater" <[email protected]>
# Subject: 4 New vulns. vWebServer and SmallHTTP
# To: [email protected], [email protected]
#


include("compat.inc");

# Registration pass: when the engine sets 'description', the plugin only
# declares its metadata and scheduling requirements, then exits without
# sending any traffic.
if (description)
{
  # --- Identity and revision ---
  script_id(11071);
  script_version("1.39");
  script_set_attribute(attribute:"plugin_modification_date", value:"2021/06/03");
  script_set_attribute(attribute:"plugin_publication_date", value: "2002/08/14");
  script_set_attribute(attribute:"vuln_publication_date", value: "2001/06/29");

  # --- External references for the finding ---
  script_cve_id("CVE-2001-1248", "CVE-2007-3407");
  script_bugtraq_id(2975);
  script_xref(name:"Secunia", value:"25809");

  # --- Human-readable text shown in scan results ---
  script_name(english:"Multiple Web Server Encoded Space (%20) Request ASP Source Disclosure");
  script_summary(english:"Downloads the source of ASP scripts");

  script_set_attribute(attribute:"synopsis", value:
"The remote web server is affected by an information disclosure
vulnerability." );
  script_set_attribute(attribute:"description", value:
"It appears possible to get the source code of the remote ASP scripts
by appending a '%20' to the request. 

ASP source code usually contains sensitive information such as logins
and passwords.

This has been reported in Simple HTTPD (shttpd), Mono XSP for ASP.NET
and vWebServer. This type of request may affect other web servers as
well." );
  script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2006/Dec/326" );
  script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2007/Jun/260" );
  script_set_attribute(attribute:"solution", value:
"There is no known solution at this time." );

  # --- Severity: confidentiality-only impact, reachable without authentication.
  # The score is attributed to CVE-2001-1248 (see cvss_score_source). ---
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:U/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:U/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2001-1248");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  # --- How the check is performed ---
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"exploited_by_nessus", value:"true");
  script_end_attributes();

  # --- Classification and ownership ---
  script_category(ACT_ATTACK);
  script_copyright(english:"This script is Copyright (C) 2002-2021 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english: "Web Servers");

  # --- Scheduling: run after service discovery and web crawling, and only
  # against targets where the "www/ASP" KB key is present. ---
  script_dependencies("find_service1.nasl", "webmirror.nasl", "http_version.nasl", "www_fingerprinting_hmap.nasl");
  script_require_ports("Services/www", 80);
  script_require_keys("www/ASP");

  exit(0);
}

#
# The script code starts here
#
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");

# Port of the web server under test. Assigned once by the main body of the
# script and read by check() when it sends the request and builds the report URL.
global_var	port;

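#
# asp_space_report(file, intro, payload)
#
# Raises the finding for 'file' on the global 'port'. The amount of detail
# follows report_verbosity:
#   0  - bare warning, no text
#   1  - the request URL that returned the source
#   2+ - additionally 'payload' (the captured response) under the heading 'intro'
#
# The captured response is server-controlled text that, per the plugin
# description, may hold logins and passwords. The report is therefore always
# passed through data_protection::sanitize_user_paths() before it is stored.
# NOTE(review): that helper presumably redacts path information only, so the
# verbose report should still be handled as sensitive scan output.
#
function asp_space_report(file, intro, payload)
{
  local_var report, rule;

  if (report_verbosity > 0)
  {
    report =
      '\n' + "Nessus was able to retrieve the source of '" + file + "' by sending" +
      '\nthe following request :' +
      '\n' +
      '\n  ' + build_url(port:port, qs:file+'%20') + '\n';

    if (report_verbosity > 1)
    {
      rule = crap(data:"-", length:30) + " snip " + crap(data:"-", length:30);
      report +=
        '\n' + intro +
        '\n' +
        '\n' + rule +
        '\n' + payload +
        rule + '\n';
    }
    security_warning(port:port, extra:data_protection::sanitize_user_paths(report_text:report));
  }
  else security_warning(port);
}

#
# check(file)
#
# Requests 'file' with an encoded space ("%20") appended and decides whether
# the reply is the script's source rather than its rendered output.
#
# Two indicators are accepted, in this order:
#   1. the response headers contain "Content-Type: application/octet-stream"
#   2. the response body contains both ASP delimiters, "<%" and "%>"
#
# Returns 1 after reporting a finding, 0 otherwise.
#
# Changes from the previous revision:
#   - A reply that is not a non-empty "200" now returns 0 instead of ending
#     the whole script. Previously a missing /default.asp stopped the plugin
#     before the crawler-discovered ASP page was ever tried.
#   - The octet-stream branch now sanitizes its report like the "<% ... %>"
#     branch does; it used to hand the raw response to security_warning().
#
function check(file)
{
  local_var r, res;

  # exit_on_fail:1 still ends the script when the server cannot be reached.
  r = http_send_recv3(method: "GET", item:file + "%20", port:port, exit_on_fail: 1);

  # No usable 200 response for this file: inconclusive, so let the caller
  # move on to another candidate.
  if ( empty_or_null(r) || empty_or_null(r[2]) || r[0] !~ "^HTTP/.* 200 ")
    return(0);

  # Indicator 1: the script was served as a generic download.
  if ("Content-Type: application/octet-stream" >< r[1])
  {
    # r[0] = status line, r[1] = headers, r[2] = body (non-empty, checked above)
    res = r[0] + r[1] + '\r\n' + r[2];
    asp_space_report(file:file, intro:"Here is the full response :", payload:res);
    return(1);
  }

  # Indicator 2: unprocessed server-side script delimiters in the body.
  if (("<%" >< r[2]) && ("%>" >< r[2]))
  {
    asp_space_report(file:file, intro:"Here it is :", payload:r[2]);
    return(1);
  }

  return(0);
}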


# Main body: pick the web server port, then probe at most two candidates.
# NOTE(review): asp:1 presumably restricts this to servers already known to
# serve ASP - confirm against get_http_port() in http.inc.
port = get_http_port(default:80, asp: 1);

# First candidate: the conventional default page.
if (check(file:"/default.asp"))
  exit(0);

# Second candidate: the first ASP page recorded in the knowledge base for
# this port (presumably stored by webmirror.nasl, which is a declared
# dependency). Only one discovered page is tested.
asp_pages = get_kb_list("www/" + port + "/content/extensions/asp");
if (isnull(asp_pages))
  exit(0);

asp_pages = make_list(asp_pages);
check(file:asp_pages[0]);
